Cryptocurrency exchange Bybit experienced a security breach resulting in the unauthorized transfer of over $1.4 billion in liquid-staked Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to one of its Ethereum Ethereum Ethereum is an open source, blockchain-based distributed computing platform and operating system featuring smart contract functionality. Created in 2014, Ethereum now stands as the second largest cryptocurrency by market cap at the time of writing.As a decentralized cryptocurrency network and software platform, Ethereum represents the most prominent altcoin. Ethereum also enables the creation Distributed Applications, or dapps. Understanding EthereumEthereum boasts its own programming language, Ethereum is an open source, blockchain-based distributed computing platform and operating system featuring smart contract functionality. Created in 2014, Ethereum now stands as the second largest cryptocurrency by market cap at the time of writing.As a decentralized cryptocurrency network and software platform, Ethereum represents the most prominent altcoin. Ethereum also enables the creation Distributed Applications, or dapps. Understanding EthereumEthereum boasts its own programming language, Read this Term cold wallets on February 21, 2025.

The incident took place during a multisignature transaction facilitated through Safe Wallet. A threat actor intercepted the process, altered the transaction, and gained control of the wallet. The attacker then transferred the funds to a separate wallet under their control.

Following the discovery, Bybit engaged cybersecurity Cybersecurity Cybersecurity is a blanket term that refers to the protection of computer systems and networks from the theft.More broadly speaking, cybersecurity can also represent countermeasures against damage to hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.It was not long ago that the term cybersecurity not exist as it was first used in 1989. In today’s vernacular cybersecurity, refers to measures taken to protect a computer or computer Cybersecurity is a blanket term that refers to the protection of computer systems and networks from the theft.More broadly speaking, cybersecurity can also represent countermeasures against damage to hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.It was not long ago that the term cybersecurity not exist as it was first used in 1989. In today’s vernacular cybersecurity, refers to measures taken to protect a computer or computer Read this Term firm Sygnia to conduct a forensic investigation. The investigation aimed to determine the source of the compromise, assess the extent of the attack, and implement measures to prevent future incidents.

Investigation Findings

The forensic analysis identified that malicious JavaScript code had been injected into a resource served from Safe Wallet’s AWS S3 bucket. The modification timestamp and historical web records suggest that the code was added on February 19, 2025, two days before the unauthorized transaction.

Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U pic.twitter.com/tlZK2B3jIW

— Ben Zhou (@benbybit) February 26, 2025

The injected code was designed to manipulate transaction data during the signing process. It activated only when the transaction originated from specific contract addresses, including Bybit’s contract and another unidentified address. This suggests that the attacker had predefined targets for the exploit.

Safe Wallet JavaScript Modified Before Attack

Forensic examination of Chrome browser cache files from the three signers’ systems confirmed the presence of the compromised JavaScript resource at the time of the transaction. These files indicated that the Safe Wallet resource was last modified shortly before the attack.

Further analysis revealed that two minutes after the fraudulent transaction was executed, new versions of the affected JavaScript files were uploaded to SafeWallet’s AWS S3 bucket, removing the injected code. This suggests an attempt to conceal the unauthorized modification.

Public web archives captured two snapshots of Safe Wallet’s JavaScript resources on February 19, 2025. The first snapshot contained the original, unaltered version, while the second snapshot showed the presence of the malicious code. This further supports the conclusion that the attack originated from Safe Wallet’s AWS infrastructure.

No Evidence of Bybit Infrastructure Breach

At this stage, the forensic investigation has not found any evidence of a compromise within Bybit’s own infrastructure. The unauthorized access appears to have been facilitated through vulnerabilities in SafeWallet’s systems. Bybit and Sygnia are continuing their investigation to confirm the findings and assess any additional risks.

“The preliminary forensic review finds that our system was not compromised. While this incident underscores the evolving threats in the crypto space, we are taking proactive steps to reinforce security and ensure the highest level of protection for our users,” said Ben Zhou, Co-founder and CEO of Bybit.